feat(kuma-cp) add Gateway TLS termination support

[jpeach]

Summary

Add support for terminating TLS sessions on Gateway listeners. Most of
the eventual TLS configuration is missing, but TLS 1.2 (and greater)
sessions can be terminated with reasonable defaults.

The approach we take in this PR is to add a new generator to build
the filter chain. Since HTTP and HTTPS protocols get different filter
chains, we separate the logic into two protocol-specific builders. HTTPS
listeners get a filter chain for each hostname, but HTTP listeners only
get a single shared filter chain. Unfortunately, this makes the lifetime
of the filter chain builder a little non-obvious.

Currently, both the server certificate and the CA certificate chain
must appear in the TLS secret, but this will change in subsequent PRs
to allow multiple certificates, and separate CA chain secrets.

Full changelog

N/A

Issues resolved

N/A

Documentation

N/A

Testing

• Unit tests
• E2E tests
• Manual testing on Universal
• Manual testing on Kubernetes

Backwards compatibility

• Add backport-to-stable label if the code is backwards compatible. Otherwise, list breaking changes.

[codecov-commenter]

Codecov Report

Merging #3044 (817cd32) into master (06d73bc) will decrease coverage by 0.01%.
The diff coverage is 52.80%.

@@            Coverage Diff             @@
##           master    #3044      +/-   ##
==========================================
- Coverage   52.29%   52.27%   -0.02%     
==========================================
  Files         919      922       +3     
  Lines       53116    53353     +237     
==========================================
+ Hits        27777    27892     +115     
- Misses      23116    23236     +120     
- Partials     2223     2225       +2     

Impacted Files	Coverage Δ
test/e2e/gateway/gateway_universal.go	0.00% <0.00%> (ø)
test/e2e/trafficroute/testutil/collect.go	0.00% <0.00%> (ø)
test/framework/universal_cluster.go	0.00% <0.00%> (ø)
pkg/tls/parse.go	30.00% <30.00%> (ø)
pkg/core/resources/apis/mesh/gateway_validator.go	92.77% <33.33%> (-2.23%)	⬇️
.../plugins/runtime/gateway/filter_chain_generator.go	76.92% <76.92%> (ø)
pkg/xds/envoy/secrets/v3/server_certificate.go	92.00% <92.00%> (ø)
pkg/plugins/runtime/gateway/generator.go	78.47% <100.00%> (-0.41%)	⬇️
pkg/plugins/runtime/gateway/listener_generator.go	90.32% <100.00%> (-4.13%)	⬇️
pkg/plugins/runtime/gateway/plugin.go	100.00% <100.00%> (ø)
... and 16 more

---

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 06d73bc...817cd32. Read the comment docs.

[lahabana]

Pretty big PR but the FilterChainGenerators make sense to me.